flickr: Mike Mozart

Applebee's locations run by RMH are dealing with a security breach.

More than 160 Applebee's Hit with Security Breach

The incident affects payment cards used at RMH-owned locations.

RMH Franchise holdings announced on its website that is has been hit by a security breach at its more than 160 Applebee’s restaurants.

“RMH Franchise Holdings recently learned about a data incident affecting certain payment cards used at RMH-owned Applebee’s restaurants that we operate as a franchisee,” the company said. This includes 167 restaurants in Alabama, Arizona, Florida, Illinois, Indiana, Kansas, Kentucky, Missouri, Mississippi, Nebraska, Ohio, Pennsylvania, Texas, and Wyoming—nearly all of the units run by RMH. Since the company operates its point-of-sale systems isolated from the broader Applebee’s network, the notice only applies to RMH-run stores.

RMH said it “promptly launched an investigation and obtained the help of leading cyber security forensics firms,” upon learning of the potential incident. Experts found that unauthorized software placed on the POS system at certain RMH-run Applebee’s was designed “to capture payment card information and may have affected a limited number of purchases made at those locations.”

Here’s how it breaks down:

  • Alabama: 2
  • Arizona: 23
  • Texas: 15
  • Wyoming: 5
  • Indiana: 21
  • Ohio: 44
  • Oklahoma: 6
  • Pennsylvania: 1
  • Kansas: 3
  • Kentucky: 14
  • Florida: 4
  • Illinois: 15
  • Missouri: 2
  • Mississippi: 1
  • Nebraska: 16

This involved gleaning guests’ names, credit or debit card numbers, expiration dates, and card verifications codes processed during limited time periods, RMH said. The dates vary by location.

The breach was discovered on February 13 and, in most of the cases, the malware was active on POS systems between December 6 and January 2018. In some it had been present since November 23 or December 5. RMH added that online payments and tabletop devices were not affected. A full list of restaurants and dates can be found here.

“Moving forward, RMH is continuing to closely monitor its systems and review its security measures to help prevent something like this from happening again,” the company said. “RMH is pleased to report that the incident has been contained and guests may use their cards with confidence at the RMH Applebee’s locations that were affected by this incident

Security breaches have plagued the restaurant industry in recent months, mostly on the quick-service side, although Shoney’s admitted an incident in April.

In the limited-service arena, Jason’s Deli, Arby’s, Sonic Drive-In, Chipotle, Pizza Hut, and Wendy’s grappled with breaches.

“Point-of-sale security has become an enormous challenge for the hospitality industry as attackers increasingly target POS vulnerabilities to access sensitive data,” Fred Kneip, CEO of CyberGRX, said in a statement. “The Applebee’s breach is the latest in a long line of similar attacks to quick service restaurants, including Sonic, Chipotle, and Wendy’s. Chain restaurants not only need a real-time feed of threats emanating from vendors to mitigate malicious access to their networks, they need to measure and monitor how other third parties like franchisees and divisions are managing this type of risk.”